diff --git a/CHANGELOG b/CHANGELOG
index 1978847..b712577 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ Revision history for Lufi
- 🐛 Fix mail signature separator
- 💄 Disable signature when using LDAP (#249)
- 🌐 Update translations
+ - 🔒 Fix XSS where using zip feature (#254)
0.05.14 2021-06-16
- 🔧 Set default morbo port to 3000 (as it should have stay)
diff --git a/themes/default/public/js/lufi-down.js b/themes/default/public/js/lufi-down.js
index b117adf..ee1f666 100644
--- a/themes/default/public/js/lufi-down.js
+++ b/themes/default/public/js/lufi-down.js
@@ -145,9 +145,9 @@ function spawnWebsocket(pa) {
zip.forEach(function (relativePath, zipEntry) {
innerHTML.push(
'
',
- zipEntry.name,
+ escapeHtml(zipEntry.name),
' (', filesize(zipEntry._data.uncompressedSize, {base: 10}), ') ',
- '',
+ '',
'',
'',
''
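Review bot: The new line relies on `escapeHtml`, but that helper is not defined anywhere in this diff, so the fix is only as good as its coverage: it must replace `&`, `<`, `>`, `"` and `'`, since `zipEntry.name` comes straight from the archive's entry list (`zip.forEach(function (relativePath, zipEntry)`) and is untrusted. The replaced line just below has lost its markup in this view; if it interpolates the same name inside an attribute, quote escaping there is what matters, and that cannot be confirmed from the hunk. The same point applies to the `lufi-up.js` hunk at `@@ -249`. A short comment at the call site would keep the next maintainer from reverting it, e.g. `// zipEntry.name is user-supplied archive content; keep it HTML-escaped (#254)`. The enclosing spawnWebsocket callback starts and ends outside the hunk.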
diff --git a/themes/default/public/js/lufi-up.js b/themes/default/public/js/lufi-up.js
index 8776fde..2b7ef68 100644
--- a/themes/default/public/js/lufi-up.js
+++ b/themes/default/public/js/lufi-up.js
@@ -102,7 +102,7 @@ function firstViewClicking() {
}
// When clicking on zip checkbox
-function zipClicking () {
+function zipClicking() {
if ($('#zip-files').attr('data-checked') && $('#zip-files').attr('data-checked') === 'data-checked') {
window.zipSize = 0;
window.zip = null;
@@ -249,7 +249,7 @@ function handleFiles(f) {
$('#zip-size').text(filesize(window.zipSize));
$('#zip-parts').append([
'',
- '— ', filename, ' (', filesize(element.size), ')',
+ '— ', escapeHtml(filename), ' (', filesize(element.size), ')',
''
].join(''));
}
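Review bot: The new line escapes `filename` correctly as far as the hunk shows, but the list entry is still assembled by concatenating HTML fragments and `.join('')`, so every value interpolated here in future must remember `escapeHtml`. Since jQuery is already in use on these lines (`$('#zip-parts')`, `$('#zip-size').text(...)`), building the element and setting the name with `.text(...)` would make the escaping structural instead of per-call; this is a style point rather than a defect. The markup around the name at the `''` lines is not visible in this view, so the exact element type cannot be confirmed. handleFiles starts outside the hunk.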